Hello all,

We believe we have found one gap in the IMA/kexec interaction, and we need your input as Linux kernel maintainers/experts to fix that gap.

-------------
Problem:
-------------

The current kernel behavior is that IMA measurements are snapshotted at 'kexec load' and not at 'kexec execute'. The IMA log is then carried over to the new kernel after 'kexec execute'.

Some systems can be configured to call 'kexec load' first, followed by 'kexec execute' after some time (as opposed to calling 'load' and 'execute' in one single kexec command).

In this scenario, if new IMA measurements are added between 'kexec load' and 'kexec execute', the TPM PCRs are extended with the IMA events between load and execute, but those IMA events are not carried over to the new kernel after the kexec soft reboot. This results in a mismatch between the TPM PCR quotes and the actual IMA measurement log post kexec.

===========================================================================
-------------
Scenario
-------------

Here is the order of operations I followed to confirm the issue.

(a) Call 'kexec load'
    # kexec -s -l /etc/ima/Image.kexec --reuse-cmdline

(b) Touch one of the files that would be measured by IMA
    # cat /run/systemd/journal/streams/8:16351

(c) Verify that this measurement event is part of the IMA log.
    # cat /sys/kernel/security/ima/ascii_runtime_measurements | grep 16351

(d) Call 'kexec execute'
    # kexec -s -e

(e) After the kexec soft reboot, the file measurement event is not present in the IMA log anymore, because this measurement in the previous kernel happened after the IMA log was snapshotted in the previous kernel.
    # cat /sys/kernel/security/ima/ascii_runtime_measurements | grep 16351

===========================================================================
-------------
Solution
-------------

Tyler pointed me to the past work in this area (please see the References section below). I used it to create the patches for capturing IMA events in between "kexec load" and "kexec execute" (please find attached):

- 0001-kexec_file-Add-mechanism-to-update-kexec-segments.patch
- 0002-ima-update-kexec-buffer-before-executing-soft-reboot.patch
- 0003-ima-on-soft-reboot-save-the-measurement-list.patch

My patches are based on [1] and [2] in the References section below. I also looked at [3]. It has a few kexec_*_handover_buffer() functions. I was not sure if they were needed. As per my limited understanding of the kexec space, [1] and [2] together seemed sufficient for the solution.

===========================================================================
------------------------------------------
Problems in the solution above
------------------------------------------

Earlier my solution patches were crashing the kernel. After a few fixes, the patches are not crashing the kernel anymore, but they don't seem to be working to capture the events between 'kexec load' and 'kexec execute' either.

When I was debugging it using printks and gdb, I found one potential location where it was failing. test_0001-move-ima_add_kexec_buffer-from-kexec-load-to-execute.patch has that location.

I would really appreciate it if one of you could provide further guidance to help me make progress on this work.

==================================================================
----------------
References
----------------

[1] [PATCH v2 5/9] ima: on soft reboot, save the measurement list
    https://lore.kernel.org/lkml/1472596811-9596-6-git-send-email-zohar@linux.vnet.ibm.com/
[2] [PATCH v2 4/6] kexec_file: Add mechanism to update kexec segments.
    https://lkml.org/lkml/2016/8/16/577
[3] [PATCH 1/6] kexec_file: Add buffer hand-over support
    https://lore.kernel.org/linuxppc-dev/1466473476-10104-6-git-send-email-bauerman@linux.vnet.ibm.com/T/

~Tushar
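The quote/log mismatch described in the Problem and Scenario sections above can be reproduced offline by replaying an ascii_runtime_measurements log into PCR 10 the way an attestation verifier does. The following is an added example written for this page; it is not code from Tushar's mail, from the attached patches, or from the kernel. The two log excerpts are constructed (the template hashes are placeholder digests, not real IMA values), the function names are the example's own, and the replay assumes the SHA-1 PCR bank, which is what the template-hash column of the ascii log feeds by default. The "TPM" value is modelled, not read from hardware: it is what the PCR holds if the old kernel extended it with every event it measured (the TPM knows nothing about the snapshot taken at 'kexec load') and the new kernel then extended it with the events it measured itself.

```python
"""Replay an IMA ascii_runtime_measurements log into PCR 10 and show why an
event measured between 'kexec load' and 'kexec execute' breaks the match
between the carried-over log and the TPM after the soft reboot.

Added example for this thread; not kernel code and not the attached patches.
All log lines below are constructed, not captured from a real system.
"""
import hashlib

PCR_BANK_BYTES = 20  # SHA-1 bank; the ascii log's template-hash column is SHA-1 by default


def _fake_digest(label: str, algo: str = "sha1") -> str:
    # Constructed placeholder digest of the right length. On a real system the
    # template hash is the SHA-1 of the binary template data, not of the path.
    return hashlib.new(algo, label.encode()).hexdigest()


def _entry(path: str) -> str:
    # One ima-ng line: <pcr> <template-hash> <template-name> <algo>:<filehash> <path>
    return (f"10 {_fake_digest('tmpl:' + path)} ima-ng "
            f"sha256:{_fake_digest('file:' + path, 'sha256')} {path}")


# Old kernel's log just before 'kexec -s -e'. The last entry (step (b) of the
# scenario) was measured after 'kexec load' had already snapshotted the log.
PRE_KEXEC_LOG = "\n".join([
    _entry("boot_aggregate"),
    _entry("/usr/lib/systemd/systemd"),
    _entry("/usr/sbin/kexec"),
    _entry("/run/systemd/journal/streams/8:16351"),
])

# Log exposed by the new kernel (step (e)): the carried-over snapshot plus one
# file the new kernel measured on its own. The streams/8:16351 entry is gone.
POST_KEXEC_LOG = "\n".join([
    _entry("boot_aggregate"),
    _entry("/usr/lib/systemd/systemd"),
    _entry("/usr/sbin/kexec"),
    _entry("/usr/bin/cat"),
])


def parse_log(text: str):
    """Return a list of (pcr, template_hash, template_name, template_data)."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pcr, template_hash, template_name, data = line.split(None, 3)
        entries.append((int(pcr), template_hash.lower(), template_name, data))
    return entries


def extend(pcr_hex: str, digest_hex: str) -> str:
    """TPM extend in the SHA-1 bank: PCR' = SHA1(PCR || digest)."""
    return hashlib.sha1(bytes.fromhex(pcr_hex) + bytes.fromhex(digest_hex)).hexdigest()


def replay_entries(entries, pcr_index: int = 10) -> str:
    """Replay the template hashes of one PCR from the all-zero reset value."""
    pcr = "00" * PCR_BANK_BYTES
    for pcr_idx, template_hash, _name, _data in entries:
        if pcr_idx == pcr_index:
            pcr = extend(pcr, template_hash)
    return pcr


def replay_log(text: str) -> str:
    """What a verifier computes from the log the running kernel exposes."""
    return replay_entries(parse_log(text))


def missing_after_kexec(pre_log: str, post_log: str):
    """Paths measured by the old kernel that the new kernel's log does not carry."""
    carried = {e[1] for e in parse_log(post_log)}
    return [e[3].split(None, 1)[1] for e in parse_log(pre_log) if e[1] not in carried]


def tpm_pcr10_after_kexec(pre_log: str, post_log: str) -> str:
    """Modelled TPM state: every old-kernel event, then the new kernel's own events."""
    old = parse_log(pre_log)
    old_hashes = {e[1] for e in old}
    new_only = [e for e in parse_log(post_log) if e[1] not in old_hashes]
    return replay_entries(old + new_only)


if __name__ == "__main__":
    tpm = tpm_pcr10_after_kexec(PRE_KEXEC_LOG, POST_KEXEC_LOG)
    print("PCR 10 in the TPM :", tpm)
    print("replay of new log :", replay_log(POST_KEXEC_LOG))
    print("not carried over  :", missing_after_kexec(PRE_KEXEC_LOG, POST_KEXEC_LOG))
```

Running it prints two different PCR 10 values and names /run/systemd/journal/streams/8:16351 as the event that was extended into the TPM but dropped from the carried-over log; a quote over PCR 10 taken after the soft reboot will therefore never verify against the new kernel's ascii_runtime_measurements. Replaying the old kernel's full log followed by the new kernel's own entries reproduces the TPM value, which is exactly the log the patches in this mail are trying to hand over. On a real system, replace the constructed logs with snapshots of /sys/kernel/security/ima/ascii_runtime_measurements taken before and after kexec and compare against tpm2_pcrread for PCR 10.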